WordPress Plugin Vulnerabilities

Form Maker by 10Web < 1.13.3 - Authenticated SQL Injection

Description

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder WordPress plugin was affected by an Authenticated SQL Injection security vulnerability.

Affects Plugins

Plugin icon
form-maker
Fixed in 1.13.3

References

CVE
CVE-2019-10866
URL
https://seclists.org/fulldisclosure/2019/May/8

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
8.1 (high)

Miscellaneous

Original Researcher
Daniele Scanu
Submitter
Ryan Dewhurst
Submitter website
https://wpscan.io
Submitter twitter
ethicalhack3r
Verified
No
WPVDB ID
c8d18ebe-fa3f-48ec-9ae0-01204fce4765

Timeline

Publicly Published
2019-05-10 (about 7 years ago)
Added
2019-05-24 (about 6 years ago)
Last Updated
2020-07-12 (about 5 years ago)

Other

Published
Title
Published
2026-05-11
Title
AI Chatbot & Workflow Automation by AIWU <= 1.4.17 - Unauthenticated SQL Injection in getListForTbl()
Published
2026-01-05
Title
CBX Bookmark & Favorite < 2.0.5 - Authenticated (Subscriber+) SQL Injection via `orderby` Parameter
Published
2022-08-29
Title
Zephyr Project Manager < 3.2.5 - Multiple Unauthenticated SQLi
Published
2025-04-07
Title
coreActivity: Activity Logging for WordPress < 2.7.1 - Authenticated (Subscriber+) SQL Injection
Published
2024-02-01
Title
Ninja Forms Contact Form < 3.7.2 - Unauthenticated Second Order SQL Injection